Overview (CVE-2021-34527 and CVE-2021-1675):
The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related printer drivers. A remote authenticated attacker can abuse this to execute arbitrary code with SYSTEM privileges on a vulnerable system.
A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well.
| CVE            | CVSS:3.0 (base / temporal) |
| CVE-2021-34527 | 8.8 / 8.2                  |
| CVE-2021-1675  | 7.8 / 6.8                  |
Cause and Impact:
The RpcAddPrinterDriverEx() function is used to install a printer driver on a system.
One of the parameters to this function is a DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer.
Another argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied.
An attacker can take advantage of this as follows:
- Any authenticated user can call the RpcAddPrinterDriverEx() function and specify a driver file that lives on a remote server.
- As a result, spoolsv.exe (the Print Spooler service) loads and executes code from an arbitrary DLL file with SYSTEM privileges.
CVE-2021-1675 was addressed by the June 2021 security update from Microsoft.
On July 1, Microsoft released CVE-2021-34527. That bulletin states that CVE-2021-34527 is similar to but distinct from the vulnerability assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx().
Microsoft has addressed this issue in the updates for CVE-2021-34527.
However, the update does not effectively prevent exploitation under certain conditions (when NoWarningNoElevationOnInstall is set to a non-zero value).
Hence Microsoft has provided multiple workarounds:
1) Stop and disable the Print Spooler service.
The following commands can be used to stop and disable the Print Spooler service:
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
Note, however, that with the Spooler disabled the system can print neither locally nor remotely.
2) Block RPC and SMB ports at the firewall:
Blocking both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level can prevent remote exploitation of this vulnerability. This does not address the local privilege escalation path.
3) Set registry keys:
Ensure that the following registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ are set to 0 (zero) or are not defined:
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
NoWarningNoElevationOnInstall = 1 makes your system vulnerable by design.
4) Restrict printer driver installation to administrators:
After the Microsoft update for CVE-2021-34527 is installed, a registry value called RestrictDriverInstallationToAdministrators in the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ key is checked; it is intended to restrict printer driver installation to administrator users only.
Please refer to KB5005010 for more details.
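The following PowerShell script is an added example, not part of the original advisory or of Microsoft's guidance. It audits the state of the four workarounds above on the local machine (Spooler service state, inbound block rules for 135/139/445, and the Point and Print registry values) and, when run with -Remediate, applies the registry values from workarounds 3 and 4. The -Remediate switch, the Get-RegValue helper and the OK/REVIEW labels are this example's own conventions; the registry key path, value names, port numbers and the RestrictDriverInstallationToAdministrators value come from the advisory. Run it from an elevated PowerShell prompt on Windows.

```powershell
# Added example (not from the original advisory): audit PrintNightmare workarounds.
[CmdletBinding()]
param(
    [switch]$Remediate   # apply the registry values from workarounds 3 and 4
)

# Key path as given in the advisory (workarounds 3 and 4)
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Helper (this example's own): return a registry value, or $null if the value or key is absent
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

$findings = @()

# Workaround 1: Print Spooler service should be stopped and disabled
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    $findings += [pscustomobject]@{ Check = 'Spooler service'; Value = 'not present'; Status = 'OK' }
} else {
    $ok = ($spooler.Status -eq 'Stopped') -and ($spooler.StartType -eq 'Disabled')
    $findings += [pscustomobject]@{
        Check  = 'Spooler service'
        Value  = "$($spooler.Status) / $($spooler.StartType)"
        Status = if ($ok) { 'OK' } else { 'REVIEW' }
    }
}

# Workaround 2: enabled inbound Block rules for RPC Endpoint Mapper (135) and SMB (139, 445)
foreach ($port in 135, 139, 445) {
    $rules = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq "$port" } |
        Get-NetFirewallRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }
    $count = @($rules).Count
    $findings += [pscustomobject]@{
        Check  = "Inbound TCP/$port block rule"
        Value  = "$count rule(s)"
        Status = if ($count -gt 0) { 'OK' } else { 'REVIEW' }
    }
}

# Workarounds 3 and 4: Point and Print policy values.
# 0 or undefined is the safe state for the first two; 1 enables the admin-only restriction.
$expected = [ordered]@{
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
    RestrictDriverInstallationToAdministrators = 1
}
foreach ($name in $expected.Keys) {
    $value = Get-RegValue -Path $PointAndPrintKey -Name $name
    if ($name -eq 'RestrictDriverInstallationToAdministrators') {
        $ok = ($value -eq 1)                       # must be explicitly set to 1
    } else {
        $ok = ($null -eq $value) -or ($value -eq 0)  # absent or 0 is the default, safe state
    }
    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
        New-ItemProperty -Path $PointAndPrintKey -Name $name -PropertyType DWord `
            -Value $expected[$name] -Force | Out-Null
        $value = $expected[$name]
        $ok = $true
    }
    $findings += [pscustomobject]@{
        Check  = $name
        Value  = if ($null -eq $value) { 'not defined' } else { $value }
        Status = if ($ok) { 'OK' } else { 'REVIEW' }
    }
}

$findings | Format-Table -AutoSize
```

A REVIEW result for the Spooler or firewall checks is not necessarily a fault: a print server must keep the Spooler running, and the advisory's port blocks are normally enforced at the network perimeter rather than on every host. The registry remediation, by contrast, is safe to apply broadly, and the script only ever writes the three values the advisory names.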